Facebook, PayPal users urged to check logins after hacking

The hacker group Lulz Security is claiming it released log-in information for 62,000 private internet accounts Thursday, including Facebook, PayPal, dating sites, Xbox Live and Twitter.

WARNING: Graphic language

The hacker group Lulz Security is claiming it released log-in information for 62,000 private internet accounts Thursday, including Facebook, PayPal, dating sites, Xbox Live and Twitter.

The list is mostly American accounts but includes hundreds of Canadians, including a CBC journalist from Prince Edward Island, and employees of all three levels of government, including provincial public servants in Alberta, Nova Scotia, and Prince Edward Island and at least one municipal worker in Whitehorse.

Who's on the list

CBC reporter Laura Chapin pored through the list and found more than 100 email addresses ending in .ca in the top sixth of the list, including:

  • Federal government workers from Service Canada, Passport Canada, and Public Safety Canada.

  • Provincial government workers in Prince Edward Island, Nova Scotia and Alberta, including at least one from the P.E.I. Department of Justice and Public Safety.

  • Municipal government workers from several cities, including Whitehorse.

  • Dozens of personal addresses.

Canadians may also be included among the email addresses that don't end in .ca.

The list shows that the most common password is 123456, which shows up almost 600 times. Another very common password is "romance."

Other countries whose citizens were hacked include the United Kingdom, Australia, New Zealand and Brazil.

On its Twitter account, LulzSec said it uploaded the file to a file-sharing site Thursday morning. The site took it down, but it was uploaded again Thursday evening and taken down once more. LulzSec reported thousands of downloads before it was removed.

The group's Twitter feed contains bragging from people who claim to have taken the information and logged on to people's personal sites: taking money from PayPal accounts, replacing dating site profile pictures with pornographic images, and engaging in chats using other people's Facebook accounts.

"Envelope yourself in the sickening realization that you secretly love f--king someone's Facebook life beyond repair," says one tweet from LulzSec.

People concerned that they may be on the list can protect themselves by changing their passwords, provided no one else has already done that using their log-in information. has published a list of emails hacked by LulzSec so people can check if their accounts are at risk.

Lulz Security, also known as LulzSec, was also in the news this week after claiming it had attacked the websites of the CIA and the U.S. Senate. It had previously taken credit for hacking into the systems of Sony and Nintendo and for posting a fake story about dead rapper Tupac Shakur on the PBS website after the public television broadcaster aired a documentary seen as critical of WikiLeaks founder Julian Assange.

Responding to the news Friday, PayPal Canada stressed through a spokesman that its site security has in no way been breached. "The hacker acquired usernames and passwords via another, less secure site, and is encouraging criminals to try the username/password combinations on

"These usernames and passwords are not necessarily associated with PayPal, but if people have used the same usernames/passwords for multiple sites, including PayPal, then their accounts could be accessed by another person."

The spokesman added that PayPal monitors accounts for unusual activity patterns and will contact customers if wrongdoing is suspected.